[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 19 Jun 2014 16:23:55 +1000
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: mod_wsgi group privilege dropping [was Re:
Security release for mod_wsgi (version 3.5)]
Hello,
Could a CVE be assigned to the way mod_wsgi handles group privilege
dropping (logs error but continues running if group privilege dropping
fails):
http://seclists.org/oss-sec/2014/q2/545
http://seclists.org/oss-sec/2014/q2/555
For the off-by-one error reported by Matthew Daley:
http://seclists.org/oss-sec/2014/q2/566
I am not familiar enough to know whether any privilege boundaries are
crossed here, or if a user can influence anything.
Both of these issues have been fixed in the 4.2.4 release:
http://modwsgi.readthedocs.org/en/latest/release-notes/version-4.2.4.html
Thanks,
--
Murray McAllister / Red Hat Product Security
On 06/18/2014 09:27 PM, Graham Dumpleton wrote:
> Fixed and released in mod_wsgi 4.2.4. Available through the normal download locations for mod_wsgi.
>
> https://github.com/GrahamDumpleton/mod_wsgi/releases
> https://pypi.python.org/pypi/mod_wsgi
>
> Thanks for highlighting the issues.
>
> Graham
>
> On 18/06/2014, at 8:43 PM, Graham Dumpleton <graham.dumpleton@...il.com> wrote:
>
>> I saw the email as it popped up in my twitter feed of all places.
>>
>> Am about to make a release which improves the error handling and the one off error.
>>
>> Graham
>>
>> On 18/06/2014, at 8:03 PM, Solar Designer <solar@...nwall.com> wrote:
>>
>>> On Wed, Jun 18, 2014 at 08:08:10PM +1200, Matthew Daley wrote:
>>>> I may be wrong as I haven't been following this discussion entirely, but...
>>>
>>> I think Graham is not on oss-security. CC added.
>>>
>>> Graham, please comment on the potential off-by-one bug reported by
>>> Matthew below:
>>>
>>>> On Wed, Jun 18, 2014 at 12:39 AM, Graham Dumpleton
>>>> <graham.dumpleton@...il.com> wrote:
>>>>> This feature was added for one specific user and wouldn't be a well known feature unless people were reading change notes diligently as don't believe it is even covered in the documentation.
>>>>>
>>>>> Given that this code also only executes as root, the only error which could technically arise in this code for setgroups() is if the number of groups exceeded NGROUPS_MAX.
>>>>>
>>>>> This should not occur though as the number of groups was previously validated when the configuration was read:
>>>>>
>>>>> if (groups_list) {
>>>>> const char *group_name = NULL;
>>>>> long groups_maximum = NGROUPS_MAX;
>>>>> const char *items = NULL;
>>>>>
>>>>> #ifdef _SC_NGROUPS_MAX
>>>>> groups_maximum = sysconf(_SC_NGROUPS_MAX);
>>>>> if (groups_maximum < 0)
>>>>> groups_maximum = NGROUPS_MAX;
>>>>> #endif
>>>>> groups = (gid_t *)apr_pcalloc(cmd->pool,
>>>>> groups_maximum*sizeof(groups[0]));
>>>>>
>>>>> groups[groups_count++] = gid;
>>>>>
>>>>> items = groups_list;
>>>>> group_name = ap_getword(cmd->pool, &items, ',');
>>>>>
>>>>> while (group_name && *group_name) {
>>>>> if (groups_count > groups_maximum)
>>>>
>>>> This is an off-by-one error, isn't it? As in, it should be testing for
>>>> groups_count >= groups_maximum and not the current test.
>>>>
>>>>> return "Too many supplementary groups WSGI daemon process";
>>>>>
>>>>> groups[groups_count++] = ap_gname2id(group_name);
>>>>> group_name = ap_getword(cmd->pool, &items, ',');
>>>>> }
>>>>> }
>>>>>
>>>>> Thus was pre-validated input.
>>>>
>>>> - Matthew Daley
>>
>
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
